We have been on record here at C:V. about how HOT we think the Enterprise Security space is so we decided to dive even deeper and perform our first valuation on Shape Security. We made this a type of “Dueling Valuations” post with our initial valuation thesis and then a rebuttal post from a guest writer and fellow VC fanatic.

Have a comment? Think we were absolutely insane for valuing the way we did? Think we were spot on and want to hire us? Email us here or send us a comment on the Contact Us page. We welcome all thoughts/feedback!

*Editor’s note: We are not VC’s, we are simply fanatics about the space and want an outlet to post our musings on. All our research was done from browsing the internet and applying a few concepts/spreadsheets from Grad School (CGSOM represent!). We are more than happy to share our findings with you. Seriously though, we built out a minimalist cap table and pro-forma’s to factor growth expectations and we would be glad to send them along (we promise, we DO have social lives too…)

C:V. ‘s Attempt:

Overview: Shape Security is an Enterprise Security company that has pioneered a revolutionary way to deflect cyber-attacks on websites. With its flagship product, ShapeShifter, what was normal code on a website becomes polymorphic (think random number generator) to distract attackers from taking vital information. This is done completely in the background with no impact on the operation of the website.

Market: One Word: MASSIVE. Gartner estimates that Security spending in 2012 alone was $62B and is expected to grow to $86B by 2016. This aggressive growth combined with the increasing mindshare that security is gaining inside Fortune 500 Board Rooms makes for a very compelling market sizing argument.

People: If you read our Round of the Week on Shape, you know how impressed we were by the caliber of talent they have at their disposal (See here for full post). Their team of Board members, Investors, and Executives is easily one of the best in the Enterprise Security space. Don’t believe us? The proof is in the funding. We don’t know of many Enterprise Security companies that can raise over $25M while STILL in stealth…

Product: First Mover advantage? Check. 20 customers in the Fortune 200? Check. Appliance/Subscription business model with 7 figure price point? Check. If an Enterprise Security startup had a wish list for creating a quality product, we are pretty sure these would be at the top of it.

Threats: The opportunity is clearly there for Shape, yet it is not without significant risks. The cybersecurity game is one where the good guys are always playing catch up and the attackers are always finding new ways to extract the data they need. In this ever-changing model, there will continually be new prevention techniques and if Shape cannot capitalize on its current opportunity while continuing to invest for the future, it will have a very tough time remaining competitive.

Valuation: We placed a $130M pre-money valuation on this round. We feel this is a fair valuation at this point in time given numerous factors and have highlighted the key points below.

C Round: Given this is a C round ($6M A, $20M B), we feel that 24% is an appropriate balance of ownership at this stage for the investors and employees. We think it stays in line with what earlier rounds offered, as well as provides enough incentive (re: hurdle rate, same or better as prior) for the investors to depart with their capital.

Ability to Scale/Cash Burn: This funding should provide Shape with enough resources to scale their enterprise offering and sales team. Additionally, based on our estimate of Shape’s Cash Burn, we feel they should have enough cash for at least 12-18 months depending on revenue growth. These factors should allow Shape to become laser focused on disrupting the market and greatly contributes to their value.

While I share your optimism for the company, I’d like to take a look three hurdles they face. Maybe after seeing those, we’ll see if a fair value emerges – and just as Shape emerges from the shadows of stealth.

Threats:

Replication and Replacement: While their polymorphic approach is certainly novel, especially considering their hardware approach, it is not the end-all be-all — and many other solutions exist under $1,000,000. Take Cross-Site Request Forgery (listed on their “Product” page as a sample attack). In many cases, a simple CSRF token can be a viable option which might only take one developer a couple of weeks to roll out across the board. While ShapeShifter offers a suite of solutions, the price tag may convince larger firms to devote developers’ time towards matching their capabilities. Where there’s money to be made or saved, people will flock.

Outrunning the Other Campers: I liked the analogy of “you don’t have to outrun the bear; just don’t be the slowest one running,” for deflecting attacks. Many hackers will no doubt go after weaker, easier targets. But where the analogy comes up short is when one camper is already dripping in honey, where’s the bears focus going to be? If you’re sitting in, say, Amazon’s shoes, do you really expect to pass off all threats to other smaller competitors? You’re going to be too valuable of a catch.

Constantly Changing Landscape: This iteration of ShapeShifter technology will not be the company’s last. To truly offer the “comprehensive defense,” they will have to innovate at the same rate as a world of thousands of hackers who have big paydays on the line. They were able to roll out the technology in apparently as short as two years, and that development time may decrease with a higher headcount, but I worry that they’ll end up just like Randy Marsh playing Heroin Hero.

Wildcard Prediction: I’m not all pessimism, guys. Here’s an upside you might not have seen coming. One source of funds I didn’t see backing Shape could become of one of their biggest customers: the Department of Defense. Given CEO Sumit Agarwal’s time spent at the Pentagon, he must have a sense of what the government needs as the U.S. becomes vulnerable to threats beyond trench warfare and the Redcoats (Russia is apparently still on the table, though). While nothing has been announced, it seems that massive DoD grants could have provided some easy non-dilutive funding – except for that pesky caveat of nonexclusive, irrevocable, royalty-free licenses… This leads me to believe they see them as a target customer, and boy, are they a big one.

Valuation:

With those, I tried to reverse-engineer the deal as best as I could. I think the deal was for 30% of the company (Series C, but with pro-rata follow-ups from GV, KPCB, etc.), and with that we’re looking at a pre-money valuation right around $95M. This would put their EV/Revenue multiple more in the realm of 3-5x, depending on what those early customers were willing to pay. This indicates some serious growth potential, but nothing’s a lock in the ever-evolving battle waged against cybercriminals.

I expect that this company could surpass $1B in value by 2020. With an exit at that, to one of the big guns who truly can offer a comprehensive security package, the VC’s would be looking at a 40%+ return – not bad for getting in at a Series C.

And when the team is this strong, you trust in their judgment of the market needs.

Good (feels extra early) Morning from C:V. HQ! We hope you have survived the annual “Spring Ahead” daylight savings switch and what better way to kick-start your week into gear than with an all new Monday Morning Memo!

This week you can expect a VC spotlight, a round of the week, and our first valuation attempt. We may also add in a book review and we have a “March Madness” themed surprise starting the following week, so stay tuned!